SSHD / AnonCVS Port Bouncing Nastyness Advisory URL: http://pacsec.jp/advisories.html Summary: -------- Sites with default SSHD configs and anonymous CVS or other "public" access are vulnerable to port bounce attacks. Details: -------- SSHD defaults to AllowTcpForwarding "yes" in /etc/ssh/sshd_config. I'm told there are some good reasons for keeping this like that. Normally this is not an issue because you have to authenticate and log in to enable the port forwarding. However this allows some fairly evil port bouncing misbehaviour, after authentication when combined with anonymous access. This could be an issue for any site with a "well known" login credentials like "anoncvs", or become a potential problem for other no-shell type logins for ssh services. The most commonly available such service is AnonCVS repositories. (Some repositories like the OpenBSD cvs servers have been notified and have now reconfigured their systems to avoid issues with this.) So these kinds of public access systems should make sure to explicitly override the default setting of AllowTcpForwarding to "no" in /etc/ssh/sshd_config to avoid their system being used for arbitrary tcp port redirection and many errr... "games". Depending on the configuration this port bouncing can be active for only a short period of time after initiation, or until the process terminates, but even in the best case it can be enough time to inject something like a mail message. (The most evil application of this IMHO could be another vector for anonymous spam injection. So check your code repositories now to make sure you aren't giving spammers another toy.) So these kinds of public access systems should make sure to explicitly override the default setting of AllowTcpForwarding to "no" in /etc/ssh/sshd_config to avoid their system being used for arbitrary tcp port redirection and many errr... "games". Depending on the configuration this port bouncing can be active for only a short period of time after initiation, or until the process terminates, but even in the best case it can be enough time to inject something like a mail message. (The most evil application of this IMHO could be another vector for anonymous spam injection. So check your code repositories now to make sure you aren't giving spammers another toy.) Fix: echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config Systems Affected: - All recent versions of OpenSSH that have publicly acessible connections. - Any other SSH Daemon that supports tcp port forwarding. Credits: - Johan Beisser <jan@xxxxxxxxxxx> discovered the issue and wants to give shit to the people who ignored it when he mentioned it to them in March :-) - Tim Newsham <newsham@xxxxxxxx> of the The Logan Group did research on the extent of the problem, demonstrated real world use, and highlighted key threats caused therein. - Christian "naddy" Weisgerber <naddy@xxxxxxxxxxxx> has been talkign about this for "years" and added AllowTcpForwarding. Thanks :-) -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan Nov 11-12 2004 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp
